Configure standard logging (v2)
You can enable standard logging when you create or update a distribution. Standard logging (v2) includes the following features:
-
Send access logs to Amazon CloudWatch Logs, Amazon Data Firehose, and Amazon Simple Storage Service (Amazon S3).
-
Select the log fields that you want. You can also select a subset of real-time log fields.
-
Select additional output log file formats.
If you’re using Amazon S3, you have the following optional features:
-
Send logs to opt-in AWS Regions.
-
Organize your logs with partitioning.
-
Enable Hive-compatible file names.
For more information, see Send logs to Amazon S3.
To get started with standard logging, complete the following steps:
-
Set up your required permissions for the specified AWS service that will receive your logs.
-
Configure standard logging from the CloudFront console or the CloudWatch API.
-
View your access logs.
Note
-
If you enable standard logging (v2), this doesn’t affect or change standard logging (legacy). You can continue to use standard logging (legacy) for your distribution, in addition to using standard logging (v2). For more information, see Configure standard logging (legacy).
-
If you already enabled standard logging (legacy) and you want to enable standard logging (v2) to Amazon S3, we recommend that you specify a different Amazon S3 bucket or use a separate path in the same bucket (for example, use a log prefix or partitioning). This helps you keep track of which log files are associated with which distribution and prevents log files from overwriting each other.
Permissions
CloudFront uses CloudWatch vended logs to deliver access logs. To do so, you need permissions to the specified AWS service so that you can enable logging delivery.
To see the required permissions for each logging destination, choose from the following topics in the Amazon CloudWatch Logs User Guide.
After you have set up permissions to your logging destination, you can enable standard logging for your distribution.
Note
CloudFront supports sending access logs to different AWS accounts (cross accounts). To enable cross-account delivery, both accounts (your account and the receiving account) must have the required permissions. For more information, see Cross-account delivery example in the Amazon CloudWatch Logs User Guide.
Enable standard logging
To enable standard logging, you can use the CloudFront console or the CloudWatch API.
Enable standard logging (CloudFront console)
To enable standard logging for a CloudFront distribution (console)
-
Use the CloudFront console to create a new distribution or update an existing one.
-
Under the Standard logging section, for Log delivery, choose On.
-
(Optional) For Cookie logging, specify if you want to include cookies in your logs.
Tip
Cookie logging is a global setting that applies to all standard logging for your distribution. You can’t override this setting for separate delivery destinations.
-
For the Deliver to section, specify the service to receive your logs:
-
CloudWatch Logs
-
Firehose
-
Amazon S3
-
-
For the Destination, select the resource for your service. If you haven’t already created your resource, you can choose Create or see the following documentation.
-
For CloudWatch Logs, enter the Log group name.
-
For Firehose, enter the Firehose delivery stream.
-
For Amazon S3, enter the Bucket name.
-
-
For Additional settings – optional, you can specify the following options:
-
For Field selection, select the log field names that you want to deliver to your destination. You can select access log fields and a subset of real-time log fields.
-
(Amazon S3 only) For Partitioning, specify the path to partition your log file data.
-
(Amazon S3 only) For Hive-compatible file format, you can select the checkbox to use Hive-compatible S3 paths. This helps simplify loading new data into your Hive-compatible tools.
-
For Output format, specify your preferred format.
Note
If you choose Parquet, this option incurs CloudWatch charges for converting your access logs to Apache Parquet. For more information, see the Vended Logs section for CloudWatch pricing
. -
For Field delimiter, specify how to separate log fields.
-
-
Complete the steps to update or create your distribution.
-
To add another destination, choose Add another destination and repeat steps 4 – 7.
-
From the Logs page, verify that the standard logs status is Enabled next to the distribution.
For more information about the standard logging delivery and log fields, see the Standard logging reference.
Enable standard logging (CloudWatch API)
You can also use the CloudWatch API to enable standard logging for your distributions.
Note
There is an additional option to include cookies in standard logging. In the
CloudFront API, this is the IncludeCookies
parameter. If you configure
access logging by using the CloudWatch API and you specify that you want to include
cookies, you must use the CloudFront console or CloudFront API to update your distribution
to include cookies. Otherwise, CloudFront can’t send cookies to your log destination.
For more information, see Cookie logging.
To enable standard logging for a distribution (CloudWatch API)
-
After you a create a distribution, get the Amazon Resource Name (ARN).
You can find the ARN from the Distribution page in the CloudFront console or you can use the GetDistribution API operation. A distribution ARN follows the format:
arn:aws:cloudfront::123456789012:distribution/d111111abcdef8
-
Next, use the CloudWatch PutDeliverySource API operation to create a delivery source for the distribution.
-
Enter a name for the delivery source.
-
Pass the
resourceArn
of the distribution. -
For
logType
, specifyACCESS_LOGS
as the type of logs that are collected. -
Example AWS CLI put-delivery-source command
The following is an example of configuring a delivery source for a distribution.
aws logs put-delivery-source --name S3-delivery --resource-arn arn:aws:cloudfront::123456789012:distribution/d111111abcdef8 --log-type ACCESS_LOGS
Output
{ "deliverySource": { "name": "S3-delivery", "arn": "arn:aws:logs:us-east-1:123456789012:delivery-source:S3-delivery", "resourceArns": [ "arn:aws:cloudfront::123456789012:distribution/d111111abcdef8" ], "service": "cloudfront", "logType": "ACCESS_LOGS" } }
-
-
Use the PutDeliveryDestination API operation to configure where to store your logs.
-
For
destinationResourceArn
, specify the ARN of the destination. This can be a CloudWatch Logs log group, a Firehose delivery stream, or an Amazon S3 bucket. -
For
outputFormat
, specify the output format for your logs.
Example AWS CLI put-delivery-destination command
The following is an example of configuring a delivery destination to an Amazon S3 bucket.
aws logs put-delivery-destination --name S3-destination --delivery-destination-configuration destinationResourceArn=arn:aws:s3:::amzn-s3-demo-bucket
Output
{ "name": "S3-destination", "arn": "arn:aws:logs:us-east-1:123456789012:delivery-destination:cf-dest", "deliveryDestinationType": "S3", "deliveryDestinationConfiguration": { "destinationResourceArn": "arn:aws:s3:::amzn-s3-demo-bucket" } }
Note
If you're delivering logs cross-account, you must use the PutDeliveryDestinationPolicy API operation to assign an AWS Identity and Access Management (IAM) policy to the destination account. The IAM policy allows delivery from one account to another account.
-
-
Use the CreateDelivery API operation to link the delivery source to the destination that you created in the previous steps. This API operation associates the delivery source with the end destination.
-
For
deliverySourceName
, specify the source name. -
For
deliveryDestinationArn
, specify the ARN for the delivery destination. -
For
fieldDelimiter
, specify the string to separate each log field. -
For
recordFields
, specify the log fields that you want. -
If you’re using S3, specify whether to use
enableHiveCompatiblePath
andsuffixPath
.
Example AWS CLI create-delivery command
The following is an example of creating a delivery.
aws logs create-delivery --delivery-source-name cf-delivery --delivery-destination-arn arn:aws:logs:us-east-1:123456789012:delivery-destination:cf-dest
Output
{ "id": "abcNegnBoTR123", "arn": "arn:aws:logs:us-east-1:123456789012:delivery:abcNegnBoTR123", "deliverySourceName": "cf-delivery", "deliveryDestinationArn": "arn:aws:logs:us-east-1:123456789012:delivery-destination:cf-dest", "deliveryDestinationType": "S3", "recordFields": [ "date", "time", "x-edge-location", "sc-bytes", "c-ip", "cs-method", "cs(Host)", "cs-uri-stem", "sc-status", "cs(Referer)", "cs(User-Agent)", "cs-uri-query", "cs(Cookie)", "x-edge-result-type", "x-edge-request-id", "x-host-header", "cs-protocol", "cs-bytes", "time-taken", "x-forwarded-for", "ssl-protocol", "ssl-cipher", "x-edge-response-result-type", "cs-protocol-version", "fle-status", "fle-encrypted-fields", "c-port", "time-to-first-byte", "x-edge-detailed-result-type", "sc-content-type", "sc-content-len", "sc-range-start", "sc-range-end" ], "fieldDelimiter": "" }
-
-
From the CloudFront console, on the Logs page, verify that the standard logs status is Enabled next to the distribution.
For more information about the standard logging delivery and log fields, see the Standard logging reference.
Output file format
Depending on the delivery destination that you choose, you can specify one of the following formats for log files:
-
JSON
-
Plain
-
w3c
-
Raw
-
Parquet (Amazon S3 only)
Note
You can only set the output format when you first create the delivery destination. This can't be updated later. To change the output format, delete the delivery and create another one.
For more information, see PutDeliveryDestination in the Amazon CloudWatch Logs API Reference.
Edit standard logging settings
You can enable or disable logging and update other log settings by using the CloudFront console
For more information, see the following topics:
-
To update a distribution by using the CloudFront console, see Update a distribution.
-
To update a distribution by using the CloudFront API, see UpdateDistribution in the Amazon CloudFront API Reference.
-
For more information about CloudWatch Logs API operations, see the Amazon CloudWatch Logs API Reference.
Access log fields
You can select the same log fields that standard logging (legacy) supports. For more information, see log file fields.
In addition, you can select the following real-time log fields.
-
timestamp(ms)
– Timestamp in milliseconds. -
origin-fbl
– The number of seconds of first-byte latency between CloudFront and your origin. -
origin-lbl
– The number of seconds of last-byte latency between CloudFront and your origin. -
asn
– The autonomous system number (ASN) of the viewer.
Send logs to CloudWatch Logs
To send logs to CloudWatch Logs, create or use an existing CloudWatch Logs log group. For more information about configuring a CloudWatch Logs log group, see Working with Log Groups and Log Streams.
After you create your log group, you must have the required permissions to allow standard logging. For more information about the required permissions, see Logs sent to CloudWatch Logs in the Amazon CloudWatch Logs User Guide.
Note
Verify that your log group resource policy doesn't exceed the size limit. See the Log group resource policy size limit considerations section in the CloudWatch Logs topic.
Example access log sent to CloudWatch Logs
{ "date": "2024-11-14", "time": "21:34:06", "x-edge-location": "SOF50-P2", "asn": "16509", "timestamp(ms)": "1731620046814", "origin-fbl": "0.251", "origin-lbl": "0.251", "x-host-header": "d111111abcdef8.cloudfront.net", "cs(Cookie)": "examplecookie=value" }
Send logs to Firehose
To send logs to Firehose, create or use an existing Firehose delivery stream.
For information about creating your delivery stream, see Creating an Amazon Data Firehose delivery stream.
After you create your delivery stream, you must have the required permissions to allow standard logging. For more information, see Logs sent to Firehose in the Amazon CloudWatch Logs User Guide.
Example access log sent to Firehose
{"date":"2024-11-15","time":"19:45:51","x-edge-location":"SOF50-P2","asn":"16509","timestamp(ms)":"1731699951183","origin-fbl":"0.254","origin-lbl":"0.254","x-host-header":"d111111abcdef8.cloudfront.net","cs(Cookie)":"examplecookie=value"} {"date":"2024-11-15","time":"19:45:52","x-edge-location":"SOF50-P2","asn":"16509","timestamp(ms)":"1731699952950","origin-fbl":"0.125","origin-lbl":"0.125","x-host-header":"d111111abcdef8.cloudfront.net","cs(Cookie)":"examplecookie=value"}
Send logs to Amazon S3
To send your access logs to Amazon S3, create or use an existing S3 bucket. When you enable logging in CloudFront, specify the bucket name. For information about creating a bucket, see Create a bucket in the Amazon Simple Storage Service User Guide.
Note
If you already enabled standard logging (legacy) and you want to enable standard logging (v2) to Amazon S3, we recommend that you specify a different Amazon S3 bucket or use a separate path in the same bucket (for example, use a log prefix or partitioning). This helps you keep track of which log files are associated with which distribution and prevents log files from overwriting each other.
After you create your bucket, you must have the required permissions to allow standard logging. For more information, see Logs sent to Amazon S3 in the Amazon CloudWatch Logs User Guide.
-
After you enable logging, AWS automatically adds the required bucket policies for you.
-
You can also use S3 buckets in the opt-in AWS Regions.
You can specify the following options.
Partitioning
You can use partitioning to organize your access logs when CloudFront sends them to your S3 bucket. This helps you organize and locate your access logs based on the path that you want.
You can use the following variables to create a folder path.
-
{DistributionId}
-
{yyyy}
-
{MM}
-
{dd}
-
{HH}
You can use any number of variables and specify folder names in your path. CloudFront then uses this path to create a folder structure for you in the S3 bucket.
Examples
-
my_distribution_log_data
/{DistributionId}/logs
-
/
cloudfront
/{DistributionId}/my_distribution_log_data
/{yyyy}/{MM}/{dd}/{HH}/logs
Hive-compatible file name format
You can use this option so that S3 objects that contain delivered access logs use a prefix structure that allows for integration with Apache Hive. For more information, see the CreateDelivery API operation.
Example
/
cloudfront
/DistributionId={DistributionId}/my_distribution_log_data
/year={yyyy}/month={MM}/day={dd}/hour={HH}/logs
Example access log sent to Amazon S3
#Fields: date time x-edge-location asn timestamp(ms) x-host-header cs(Cookie) 2024-11-14 22:30:25 SOF50-P2 16509 1731623425421 d111111abcdef8.cloudfront.net examplecookie=value2
Delete log files
CloudFront doesn't automatically delete log files from your destination. For information about deleting log files, see the following topics:
Amazon S3
-
Deleting objects in the Amazon Simple Storage Service Console User Guide
CloudWatch Logs
-
Working with log groups and log streams in the Amazon CloudWatch Logs User Guide
-
DeleteLogGroup in the Amazon CloudWatch Logs API Reference
Firehose
-
DeleteDeliveryStream in the Amazon Data Firehose API Reference
Pricing
CloudFront doesn’t charge for enabling standard logs. However, you can incur charges for the delivery, ingestion, storage or access, depending on the log delivery destination that you select.
For more information, see the following topics to the pricing information for each logging destination type:
-
CloudWatch Logs – The charges are for vended log delivery. See CloudWatch Logs Pricing
-
Under Paid Tier, choose the Logs tab, and then under Vended Logs, see the information for Delivery to CloudWatch Logs.
Note
If you choose Parquet, this option incurs CloudWatch charges for converting your access logs to Apache Parquet. For more information, see the Vended Logs section for CloudWatch pricing
.
-
-
Firehose – See Amazon Data Firehose
-
Amazon S3 buckets – The Amazon S3 charges are the combined charges for CloudWatch Logs vended log delivery to the Amazon S3 buckets and for using Amazon S3.
-
For Amazon S3, see Amazon S3 Pricing
. -
For CloudWatch Logs vended log delivery to the Amazon S3, see Amazon CloudWatch Logs Pricing
. Under Paid Tier, choose the Logs tab, and then under Vended Logs, see the information for Delivery to S3
-